This topic explains the process for upgrading domain controllers to Windows Server 2008 or Windows Server 2008 R2. This information is based on the experience of the Microsoft Customer Service and Support (CSS) team. This topic includes links to related information about the upgrade process.

For information about specific features in Active Directory Domain Services (AD DS) in Windows Server 2008, see Active Directory Domain Services Role (http://go.microsoft.com/fwlink/?LinkId=164414).

Some functionality that was available in previous versions of Windows Server is deprecated in Windows Server 2008. For example, SMTP Replication is removed by default. For more information, see article 947057 in the Microsoft Knowledge base (http://go.microsoft.com/fwlink/?LinkId=164416). The Browser Service is disabled by default in Windows Server 2008 and Windows Server 2008 R2 domain controllers.

In Windows Server 2008 R2, Dcpromo.exe does not allow the creation of a domain that has a single-label Domain Name System (DNS) name. If you try to promote an additional domain controller in a domain that has a single-label DNS name (such as contoso, instead of contoso.com), the check box to install a DNS server is not available in Dcpromo.exe. Upgrading Windows Server 2003 domain controllers in Windows Server 2008 and Windows Server 2008 R2 single-label domains is supported. Promoting additional Windows Server 2008 and Windows Server 2008 R2 domain controllers into existing single-label DNS domains is supported.

Windows Server 2008 R2 does not support MSMQ in domain mode for Windows NT 4 and Windows 2000 MSMQ clients running against Windows Server 2008 R2 domain controllers that have no Windows Server 2003 or Windows Server 2008 domain controllers in the same environment.

For system requirements for Windows Server 2008, see “System Requirements” in Installing Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=164421).

For disk-space requirements for AD DS in Windows Server 2008, see Disk space and component location issues in Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkId=164423).

For disk-space requirements for AD DS in Windows Server 2008 R2, see Disk space and component location issues in Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkID=164423).

The AD DS database (Ntds.dit) on Windows Server 2008 R2 domain controllers can be larger than in previous versions of Windows, for the following reasons:

There are changes in the online defragmentation process on Windows Server 2008 R2 domain controllers.

Windows Server 2008 R2 Adprep /forestprep adds two new indices on the large link table.

The Active Directory database on a Windows Server 2008 domain controller that is promoted into a Windows 2000 domain should be a size that is similar to the size of the Active Directory databases on the Windows 2000 domain controllers. While Windows Server 2008 R2 additions increase the database size, the addition of a single-instance store that is supported by domain controllers that run Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 offsets that increase. Windows Server 2008 R2 domain controllers are estimated to be 10 percent larger than Windows Server 2008 domain controllers, not counting the Active Directory Recycle Bin.

In a production Windows Server 2008 R2 domain at Microsoft, the Active Directory Recycle Bin feature increased the database size by an additional 15 to 20 percent of the original AD DS database size, using the default deletedObjectLifetime and recycledObjectLifetime values of 180 days. Additional space requirements depend on the size and count of the objects that can be recycled.

If an in-place upgrade to Windows Server 2008 or Windows Server 2008 R2 rolls back silently to the previous operating system version, check for sufficient free disk space on the partitions that host the AD DS database and log files.
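The silent rollback above is easiest to avoid by measuring before the upgrade. The following script is an added example (it is not from the Microsoft topic) that reads the Ntds.dit and log-file locations from the standard NTDS registry parameters, measures free space on the volumes that host them, and compares it with a projected database size. The growth factor is an assumption built from the figures in the topic (about 10 percent for Windows Server 2008 R2 plus up to 20 percent for the Active Directory Recycle Bin); the function name is the author's own.

```powershell
# Added example, not part of the Microsoft topic. Assumes PowerShell 2.0 or later,
# run elevated on the domain controller. The registry value names are the standard
# NTDS parameters; the growth factor is a rule of thumb taken from the topic.

function Get-NtdsSpaceReport {
    param(
        # Assumed rule of thumb: 1.10 (R2 growth) * 1.20 (Recycle Bin upper bound)
        [double]$GrowthFactor = 1.10 * 1.20
    )

    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ntds    = Get-ItemProperty -Path $ntdsKey

    $dbFile = $ntds.'DSA Database file'        # typically C:\Windows\NTDS\ntds.dit
    $logDir = $ntds.'Database log files path'  # typically C:\Windows\NTDS

    $ditBytes  = (Get-Item -LiteralPath $dbFile).Length
    $projected = [int64]($ditBytes * $GrowthFactor)

    foreach ($path in @($dbFile, $logDir)) {
        # Win32_LogicalDisk.DeviceID is the drive letter with a colon, e.g. 'C:'
        $drive = [System.IO.Path]::GetPathRoot($path).TrimEnd('\')
        $disk  = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'"
        $free  = [int64]$disk.FreeSpace

        # The upgrade rolls back silently when these partitions run short, so flag
        # any volume whose free space is below the projected database size.
        $status = if ($free -ge $projected) { 'OK' } else { 'LOW - add space before upgrading' }

        New-Object PSObject -Property @{
            Path           = $path
            Drive          = $drive
            CurrentDitGB   = [math]::Round($ditBytes  / 1GB, 2)
            ProjectedDitGB = [math]::Round($projected / 1GB, 2)
            FreeGB         = [math]::Round($free      / 1GB, 2)
            Status         = $status
        }
    }
}

Get-NtdsSpaceReport | Format-Table Path, Drive, CurrentDitGB, ProjectedDitGB, FreeGB, Status -AutoSize
```

The projected size only covers Ntds.dit growth; the operating system upgrade itself has separate free-space requirements on the system partition, which the system requirements linked earlier in this topic cover.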

Windows Server 2008 R2 does not allow outbound trusts to be created between domains that have domain controllers that run Windows Server 2008 R2 and Windows NT 4 domains. Windows Server 2008 R2 inbound trusts with Windows NT 4.0 domains can be made to work but are not tested or supported. This can have an impact on the sequence in which you choose to upgrade domains and domain controllers.

For example, suppose a domain with Windows Server 2003 domain controllers has a trust with a domain that has Windows NT 4 domain controllers. In this situation, you need to replace the domain controllers in the Windows NT 4 domain with domain controllers that run Windows 2000 or later before you upgrade or replace domain controllers in the Windows Server 2003 domain. If the domain controllers in the Windows Server 2003 domain are replaced or upgraded first in this situation, the trust between the domains will no longer function.


If you replace domain controllers, use the metadata cleanup method in Windows Server 2008 and Windows Server 2008 R2. Manually remove DNS and Windows Internet Name Service (WINS) records for the original role holder. For more information, see Clean Up Server Metadata (http://go.microsoft.com/fwlink/?LinkId=148150).

If you want to migrate the AD DS server role, DNS server roles, IP address, computer name, and supporting configuration state from an existing server to a new Windows Server 2008 or Windows Server 2008 R2 destination server, see AD DS and DNS Server Migration: Migrating the AD DS and DNS Server Roles (http://go.microsoft.com/fwlink/?LinkId=177812). For example, refer to this article if you want to ensure that the new server has the same IP address or server name as the legacy server, or if you have made configuration changes, such as registry changes or file-based DNS zones, on the legacy DNS server and you want them retained on the new DNS server.

Features that are enabled for Windows Server 2008 and Windows Server 2008 R2 domain and forest functional levels are documented in Understanding Domain and Forest Functionality (http://go.microsoft.com/fwlink/?LinkId=164555). Domain and forest functional level requirements for the deployment of Windows Server 2008 and Windows Server 2008 R2 domain controllers are as follows:

Adprep /forestprep does not have any domain or forest functional level requirements.

There are new well-known and built-in groups that are created after you upgrade or transfer the domain controller that holds the role of the primary domain controller (PDC) emulator master in each domain in the forest to Windows Server 2008 or Windows Server 2008 R2, or after you add a read-only domain controller (RODC) to your domain. For more information, see Appendix A: Background Information for Upgrading Active Directory Domains.

There are no changes in Windows Server 2008 or Windows Server 2008 R2 to recommendations for placing operations master roles (also known as flexible single master operations or FSMO). For more information about current recommendations, see Planning Operations Master Role Placement (http://go.microsoft.com/fwlink/?LinkId=185222).

Not tested by Windows product groups and therefore not supported. CSS can provide best-effort support, but escalation support or hotfixes will not be provided.

Improved default security settings block domain join and maintaining a secure channel. Although not recommended, those operations can work after default security settings are relaxed. For more information, see article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164558).

Secure channels between computers running Windows NT 4.0 and Windows 7 or Windows Server 2008 R2 are not tested by Windows product groups and are therefore not supported. Affected operations include validation of trusts, creation of outbound trusts, domain joins, and authentications over secure channels. CSS can provide best-effort support, but escalation support or hotfixes will not be provided.

Improved default security settings block establishing and maintaining domain join and a secure channel but those operations can work after default security settings are changed.

For more information about outbound trusts between Windows Server 2008 R2 and Windows NT 4 domains, see article 2021766 (http://go.microsoft.com/fwlink/?LinkID=205835).

For more information about which versions of Microsoft Exchange Server can interoperate with different versions of Windows, see Exchange Server Supportability Matrix (http://go.microsoft.com/fwlink/?LinkID=165034).

The Group Chat feature in Office Communications Server 2007 R2 does not work in Windows Server 2008 R2 domains. For more information, see article 982020 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=190459). For more information about using Office Communications Server 2007 R2 with domain controllers that have different versions of Windows Server and different domain and forest functional levels, see Supported Active Directory Environments by Office Communications Server Version (http://go.microsoft.com/fwlink/?LinkId=190457).

For a list of applications that are compatible or incompatible with Windows Server 2008, see article 948680 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=184903).

For a list of applications that are compatible with RODCs, see Applications That Are Known to Work with RODCs (http://go.microsoft.com/fwlink/?LinkID=133779). Exchange Server requires a writable domain controller; therefore, it does not work with RODCs.

You are not required to upgrade a certification authority (CA) that runs Windows Server 2003 when you upgrade domain controllers that run Windows Server 2003. However, Windows Server 2008 and Windows Server 2008 R2 provide many new features and improvements related to CAs. For more information about what is new in Windows Server 2008, see Active Directory Certificate Services Role (http://technet.microsoft.com/en-us/library/cc753254(WS.10).aspx). For more information about what is new in Windows Server 2008 R2, see What's New in Active Directory Certificate Services (http://technet.microsoft.com/en-us/library/dd448537(WS.10).aspx).

VM guests fail to start with error "insufficient system resources" when the AD DS server role is added to a RemoteFX-enabled Windows Server 2008 R2 SP1 Hyper-V host computer. The best practice is to not install the AD DS (domain controller) role on a computer that also hosts the Hyper-V server role. If you must have the Hyper-V and the AD DS roles installed on the same physical computer, do not install RemoteFX, a subcomponent of the Remote Desktop Virtual host.

Windows Vista and Windows Server 2008 and later operating systems use a higher range of ports for outgoing connections than previous versions of Windows. The new default start port is 49152, and the default end port is 65535. If you receive errors indicating that “the endpoint mapper is out of endpoints,” especially after retiring domain controllers that run Windows 2000 or Windows Server 2003, you might need to reconfigure firewalls and routers to use the new default port range. For more information, see article 929851 (http://go.microsoft.com/fwlink/?LinkID=153117).
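Before changing firewall or router rules, confirm the range each server actually uses. The following is an added example (not from the Microsoft topic) that parses the dynamic port range that netsh reports for TCP and UDP over IPv4 and IPv6 and flags whether it matches the default range stated above. It assumes Windows Server 2008 or later with netsh available; the function name and the parsing of netsh's text output are the author's own.

```powershell
# Added example, not part of the Microsoft topic. Reads the ephemeral (dynamic)
# port range this server uses for outgoing connections so that firewall rules
# can be checked against it. Assumes PowerShell 2.0 or later and netsh.exe.

function Get-DynamicPortRange {
    foreach ($family in 'ipv4', 'ipv6') {
        foreach ($proto in 'tcp', 'udp') {
            $text = netsh interface $family show dynamicport $proto | Out-String

            # netsh prints lines such as "Start Port      : 49152" and
            # "Number of Ports : 16384"; skip the family/protocol if the
            # stack is not installed and the lines are absent.
            if ($text -notmatch 'Start Port\s*:\s*(\d+)') { continue }
            $start = [int]$matches[1]
            if ($text -notmatch 'Number of Ports\s*:\s*(\d+)') { continue }
            $count = [int]$matches[1]
            $end   = $start + $count - 1

            New-Object PSObject -Property @{
                Family    = $family
                Protocol  = $proto
                StartPort = $start
                EndPort   = $end
                # Default range for Windows Vista / Windows Server 2008 and later
                IsDefault = ($start -eq 49152 -and $end -eq 65535)
            }
        }
    }
}

Get-DynamicPortRange | Format-Table Family, Protocol, StartPort, EndPort, IsDefault -AutoSize
```

If an earlier administrator narrowed the range to match older firewall rules, `netsh interface ipv4 set dynamicport tcp start=49152 num=16384` restores the default for IPv4 TCP (repeat for udp and for ipv6); the firewall rules then need to allow the full 49152 to 65535 range for RPC traffic between domain controllers and clients.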

The following table lists known issues for DNS servers and how to resolve them, including applicable hotfixes.

Known issue: Domain controllers that host Active Directory–integrated DNS zones and point to themselves as Preferred DNS servers experience lengthy startup times of 20 minutes or longer and log Event ID 4013 in the DNS log.

When you open the DNS snap-in, you might see the following error message:

“The Server Win2k8DC could not be contacted. The error was: The server is unavailable. Would you like to add it anyway?”

When you open Active Directory Users and Computers, you might see this error message:

“Naming information could not be located.”

This error occurs when the DNS Server service is waiting for initial synchronization of AD DS to complete, but AD DS initial synchronization cannot complete because the DNS records that must be resolved are stored in Active Directory–integrated zones that the local DNS server cannot access yet.

How to resolve: Try the following configuration changes to prevent the condition that logs Event ID 4013:

Remove references in AD DS to domain controllers that no longer exist.

Resume operations for domain controllers that are currently offline in your Active Directory forest.

If queries that used to succeed on DNS servers that run Windows 2000, Windows Server 2003, or Windows Server 2008 fail after those DNS servers are upgraded to or replaced with DNS servers that run Windows Server 2008 R2, or if names that the old DNS servers can resolve cannot be resolved by Windows Server 2008 R2 DNS servers, disable EDNS by using the following command:
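The following script is an added example (not from the Microsoft topic) that checks, on one domain controller, the two DNS conditions described above: whether the server lists itself as its preferred DNS server and has logged Event ID 4013, and whether EDNS probes are enabled. It assumes PowerShell 2.0 or later on Windows Server 2008 or later, run elevated, with the DNS Server role installed (dnscmd.exe ships with it). The EnableEDnsProbes property name is the DNS Server setting the author knows from the dnscmd documentation; the function name and the parsing of the command output are the author's own. It reports only, unless -DisableEdns is passed.

```powershell
# Added example, not part of the Microsoft topic. Reports DNS configuration
# points relevant to Event ID 4013 and EDNS interoperability on a DC.

function Test-DcDnsConfiguration {
    param([switch]$DisableEdns)

    # Addresses this machine owns, and the first (preferred) DNS server on each adapter.
    $adapters  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $localIps  = @($adapters | ForEach-Object { $_.IPAddress })
    $preferred = @($adapters | Where-Object { $_.DNSServerSearchOrder } |
                   ForEach-Object { $_.DNSServerSearchOrder[0] })

    $loopback     = @('127.0.0.1', '::1')
    $pointsToSelf = @($preferred | Where-Object { $localIps -contains $_ -or $loopback -contains $_ }).Count -gt 0

    # Event ID 4013 in the DNS Server log: DNS waiting on AD DS initial synchronization.
    $event4013 = Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4013 } `
                              -MaxEvents 1 -ErrorAction SilentlyContinue

    # EDNS probe setting; dnscmd /info prints the value on a "Dword:" line (1 = enabled, the default).
    $ednsText    = dnscmd /info /EnableEDnsProbes | Out-String
    $ednsEnabled = $null
    if ($ednsText -match 'Dword:\s*(\d+)') { $ednsEnabled = ($matches[1] -ne '0') }

    if ($DisableEdns -and $ednsEnabled) {
        # Same change the topic describes: turn EDNS probes off on this server.
        dnscmd /config /EnableEDnsProbes 0 | Out-Null
        $ednsEnabled = $false
    }

    New-Object PSObject -Property @{
        PreferredDnsServers = ($preferred -join ', ')
        PointsToSelf        = $pointsToSelf
        LastEvent4013       = if ($event4013) { $event4013.TimeCreated } else { $null }
        EdnsProbesEnabled   = $ednsEnabled
    }
}

Test-DcDnsConfiguration | Format-List
```

A DC that reports PointsToSelf true together with a recent Event 4013 is the startup-delay case from the table; the cure is the metadata and offline-DC cleanup listed there, not a DNS client change alone. Disabling EDNS reduces the server's ability to use large UDP responses, so apply it only where the resolution failures above are actually observed.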

This section describes interoperability issues for IPv6 and AAAA resource records for DNS servers that run different versions of Windows Server. For more information about using DNS with IPV4 and IPv6, see Configuring DNS for IPv6/IPv4 Coexistence (http://go.microsoft.com/fwlink/?LinkId=186688).

When you log on or log off from a domain with a newly built client computer, you experience delays of about 5 to 10 minutes. This problem appears after you join the computer to an Active Directory domain. This affects computers that run Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2. The problem is caused by lack of connectivity between the client computer and the forest root domain controllers. For more information about the cause of this problem and the steps to take to resolve it, see article 971198 (http://go.microsoft.com/fwlink/?LinkId=184883) in the Microsoft Knowledge Base.

If you deploy a domain controller that runs Windows Server 2008 R2 into an existing domain that contains Windows Server 2003 and Windows Server 2008 domain controllers, and a service account has the Use DES encryption types for this account check box selected, you might see Event ID 16 in the System log of the Windows Server 2008 R2 domain controller, even after you enable Data Encryption Standard (DES) encryption on Windows Server 2008 R2 (DES is disabled there by default). Windows Server 2003 and Windows Server 2008 domain controllers service the authentication requests without error.

This problem occurs because Windows Server 2008 R2 domain controllers fail to use a second data structure BLOB that contains DES encryption settings, even though that structure was successfully inbound-replicated by the authenticating Windows Server 2008 R2 domain controller. This problem is fixed on domain controllers that run Windows Server 2008 R2 with SP1.

To resolve this problem on a domain controller that runs Windows Server 2008 R2 without SP1:

Link or modify a Group Policy object (GPO) on the domain controller’s organizational unit (OU) that enables the DES encryption.

For more information, see article 977321 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=177717). Make sure that the policy is configured to enable all encryption types.

Select the Use DES encryption types for this account check box on the SAP Service account in the Active Directory Users and Computers snap-in.

Install the hotfix from article 978055 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=185219) on all domain controllers that run Windows Server 2008 R2 without SP1. You can install the hotfix without removing and reinstalling AD DS on existing domain controllers.

Third-party Server Message Block (SMB) clients may be incompatible with the secure default settings on Windows Server 2008 and Windows Server 2008 R2 domain controllers. In all cases, these settings can be relaxed to allow interoperability at the expense of security. For more information, see article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164558).

Regardless of the virtual host software product that you are using, read Running Domain Controllers in Hyper-V (http://go.microsoft.com/fwlink/?LinkID=139651) for special requirements related to running virtualized domain controllers. Specific requirements include the following:

Avoid single points of failure such as having all domain controllers in a domain or forest on the same VM host, or the same SAN or datacenter, and so on.

Do not stop or pause domain controllers.

Do not restore snapshots of domain controller role computers. This action causes an update sequence number (USN) rollback that can result in permanent inconsistencies between domain controller databases.

All physical-to-virtual (P2V) conversions for domain controller role computers should be done in offline mode. System Center Virtual Machine Manager enforces this for Hyper-V. For information about other virtualization software, see the vendor documentation.

Configure virtualized domain controllers to synchronize with a time source in accordance with the recommendations for your hosting software.

For more considerations about running domain controllers in virtual machines, see article 888794 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=141292).

The following changes have been made to local and remote administration tools for the Windows Server 2008 and Windows Server 2008 R2 operating systems.

The installation of a server role, such as Active Directory Domain Services, by Server Manager also locally installs all GUI and command-line tools that you can use to administer that role. To install tools locally to manage other server roles, click Add Features in Server Manager.

The GUI and command-line tools that were formerly in the Administrative Tools Pack (ADMINPACK.MSI), Support Tools (SUPPTOOLS.MSI), and Resource Kit tools have been consolidated into a single collection called Remote Server Administration Tools (RSAT), which you can obtain from the Microsoft Download Center and install on client operating systems such as Windows Vista or Windows 7.

As 64-bit hardware and operating systems became more popular, x86-based (32-bit) and x64-based (64-bit) versions of administration tools were released.

Additional steps are required to make the administration tools that RSAT installs appear in the Start menu of Windows Vista computers. For these additional steps, see the following procedure.

In the Customize Start Menu dialog box, scroll down to System administrative tools, and then click Display on the All Programs menu and the Start menu.

Click OK.

As a general rule, the administrative tools only install and run correctly on the operating system versions with which they were released. For example, the Windows Server 2008 administration tools install and run only on Windows Vista client computers and Windows Server 2008 server computers. As another example, if you try to administer Windows Server 2008 R2 DNS servers using the DNS snap-in or Dnscmd.exe from Windows Server 2003, you receive “access is denied” errors.

Administration tools whose files are copied from the server operating system disk will generally not execute on the corresponding client operating system and are not supported. For example, tools that are copied from the Windows Server 2008 operating system disk to Windows Vista will not work. Instead of copying the tools, download the correct version of RSAT for the client computers that you use to administer servers.

Windows Server 2008 and Windows Server 2008 R2 domain controllers added time-rollback protection to help prevent domain controllers from adopting bad time. We recommend that you add time-rollback protection on Windows Server 2003 domain controllers and Windows Server 2008 and Windows Server 2008 R2 Hyper-V hosts by using Group Policy, making sure that you have the policy detail fixes in place before you do. For more information, see article 884776 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=178255).

Finally, time on workgroup virtual host and domain-joined virtual host computers should be configured as follows:

All domain controllers in the forest should meet the following conditions:

Be online.

Be healthy (Run dcdiag /v to see if there are any problems.)

Have successfully inbound-replicated and outbound-replicated all locally held Active Directory partitions (repadmin /showrepl * /csv viewed in Excel). For more information, see “CSV Format” in Repadmin Requirements, Syntax, and Parameter Descriptions (http://go.microsoft.com/fwlink/?LinkID=147380).

Have successfully inbound-replicated and outbound-replicated SYSVOL.

Metadata for stale or nonexistent domain controllers, or domain controllers that cannot be made to replicate, should be removed from their respective domains. For more information, see Clean Up Server Metadata (http://go.microsoft.com/fwlink/?LinkId=148150).

All domains must be at the Windows 2000 native functional level or higher to run adprep /domainprep. Windows NT 4.0 domain controllers are not permitted in this functional level.

Have sufficient free disk space to accommodate the upgrade.

For more information about disk-space requirements for Windows Server 2008 and Windows Server 2008 R2, see System requirements for installing Windows Server 2008 and Windows Server 2008 R2. The task for administrators is to accurately forecast the immediate and long-term growth for Ntds.dit files on Windows Server 2008 and Windows Server 2008 R2 domain controllers so that hard drives and partitions that host Active Directory files can be sized properly on physical and virtual domain controllers.
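The replication condition in the checklist above is usually verified by opening the repadmin CSV in Excel. The following is an added example (not from the Microsoft topic) that runs repadmin /showrepl * /csv and reduces it to the links that have failures or have not succeeded recently, so stale or unreachable domain controllers stand out before adprep is run. It assumes repadmin.exe (installed with the AD DS role or RSAT) and PowerShell 2.0 or later; the column names are those repadmin emits in /csv mode, the 60-day staleness threshold is an assumption, and the function name is the author's own.

```powershell
# Added example, not part of the Microsoft topic. Parses repadmin /showrepl /csv
# output and returns only the replication links that need attention.

function Get-ReplicationFailures {
    param(
        [string]$Target = '*',      # a DC name, or * for every DC in the forest
        [int]$StaleAfterDays = 60   # assumed threshold for "has not replicated recently"
    )

    $rows = repadmin /showrepl $Target /csv | ConvertFrom-Csv
    $now  = Get-Date

    foreach ($row in $rows) {
        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)

        # "Last Success Time" is a date string; a link that never succeeded has no usable value.
        $lastSuccess = $null
        try { $lastSuccess = [datetime]$row.'Last Success Time' } catch { }

        $ageDays = if ($lastSuccess) { ($now - $lastSuccess).TotalDays } else { $null }
        $stale   = ($lastSuccess -eq $null) -or ($ageDays -gt $StaleAfterDays)

        if ($failures -gt 0 -or $stale) {
            New-Object PSObject -Property @{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Failures      = $failures
                LastSuccess   = $lastSuccess
                LastStatus    = $row.'Last Failure Status'
                Stale         = $stale
            }
        }
    }
}

Get-ReplicationFailures | Sort-Object Source, Destination |
    Format-Table Source, Destination, NamingContext, Failures, LastStatus, Stale -AutoSize
```

An empty result means every partition on every DC has replicated inbound and outbound without error. Sources that appear on every destination's failure list with an old LastSuccess are the candidates for the metadata cleanup step above; this check covers Active Directory partitions only, so SYSVOL replication still needs its own verification.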

For upgrades to either Windows Server 2008 or Windows Server 2008 R2, create integrated installation media (“slipstream”) by adding the latest service pack and hotfixes for your operating system. As of September 2009, the latest service pack for Windows Server 2008 is Service Pack 2 (SP2). For information about obtaining the latest service pack, see article 968849 in the Microsoft Knowledge base (http://go.microsoft.com/fwlink/?LinkId=164585) and see Installing Windows Server 2008 with Service Pack 2 (http://go.microsoft.com/fwlink/?LinkId=164586). Windows Server 2008 R2 includes updates from Windows Server 2008 SP2. To make sure that you have all of the latest updates, see Windows Update (http://go.microsoft.com/fwlink/?LinkID=47290) or see article 968849 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164585) for download information.

If you are deploying RODCs, review article 944043 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122974). Download and install the hotfixes on the Windows computers and scenarios that apply to your computing environment.

Occurs only on x64-based server upgrades in Dynamic DST time zones. To see if your servers are affected, click the taskbar clock. If the clock fly-out indicates a time zone problem, click the link to open the date and time control panel.

Some deleted objects that are nearing the tombstone lifetime may still exist on the source of a replication agreement and have an attribute added to the partial attribute set of the object that should be replicated out. If the same object was garbage-collected on the target domain controller when it was replicated, the destination domain controller logs Event ID 1988 and possibly Event ID 1388.

MIIS 2003 and ILM 2007 will work with a forest upgrade to Windows Server 2008 R2 as long as the Active Directory Recycle Bin feature is not enabled. Use ILM 2007 SP1 or FIM 2010 to synchronize operations that involve Active Directory Recycle Bin.

Identify the domain controller that holds the schema operations master role (also known as flexible single master operations or FSMO role) and verify that it has inbound-replicated the schema partition since startup:

Run the dcdiag /test:knowsofroleholders command. If the schema role is assigned to a domain controller with a deleted NTDS settings object, follow the steps in article 255504 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=70776) to seize the role to a live domain controller in the forest root domain.

Log on to the schema operations master with an account that has Enterprise Admins, Schema Admins, and Domain Admins credentials in the forest root domain. By default, the built-in administrator account in a forest root domain has these credentials.

On the schema master, run the repadmin /showreps command. If the schema master has inbound-replicated the schema partition since startup, continue to the next step. Otherwise, use the Replicate Now command in Dssite.msc to trigger inbound replication of the schema partition to the schema master (see Force replication over a connection (http://go.microsoft.com/fwlink/?LinkId=164634)). You can also use the repadmin /replicate <name of schema master> <GUID of replication partner> command. The showreps command returns the globally unique identifier (GUID) of each replication partner of the schema master.

Locate the correct version of Adprep for your upgrade:

The Windows Server 2008 installation media contain one version of adprep, Adprep.exe, in the \sources\adprep folder on the Windows Server 2008 installation disk, that runs on both x86-based and x64-based operations masters.

If you copy Adprep.exe from the installation media to a local computer or a network share, copy the entire adprep folder and provide the full path to the Adprep.exe file.

Update the forest schema with adprep /forestprep.

While you are still logged on to the console of the schema master with an account that has Enterprise Admins, Schema Admin, and Domain Admin credentials, run the appropriate version of adprep /forestprep from the Windows Server 2008 or Windows Server 2008 R2 installation media. Specify the full path to Adprep.exe to prevent running another version of Adprep that may be present in the PATH environment variable.

For example, if you are running the Windows Server 2008 version of Adprep from a DVD drive or network path that is assigned the drive letter D:, the command to run is as follows:

You do not have to run Windows Server 2008 R2 adprep /rodcprep in a forest that has already been prepared with Windows Server 2008 adprep /rodcprep. Proceed to adprep /domainprep.

If you are deploying RODCs for the first time:

While still logged on with Enterprise Admins credentials on the schema master, run adprep /rodcprep.

Note

Rodcprep will run on any member computer or domain controller in the forest if you are logged on with Enterprise Admin credentials. You can run adprep /rodcprep before or after adprep /domainprep. We recommend running adprep /rodcprep on the schema master immediately after adprep /forestprep as a matter of convenience because that operation also requires Enterprise Admins credentials.

For Windows Server 2008 Rodcprep, specify the full path to Adprep. For example, if the DVD or network path is assigned drive D:, run the following command:
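The checks in the forestprep procedure above (locate the schema master, confirm it has inbound-replicated the schema partition since its last startup, run Adprep.exe from its full path) can be scripted so that the irreversible step only runs once the preconditions hold. The following is an added example, not from the Microsoft topic. It assumes dsquery.exe, repadmin.exe and WMI are available, PowerShell 2.0 or later, and that it runs on the schema master with Enterprise Admins, Schema Admins and Domain Admins credentials. The D:\sources\adprep\adprep.exe path is a placeholder for the Adprep.exe on your media, and the function names are the author's own.

```powershell
# Added example, not part of the Microsoft topic. Pre-flight for adprep /forestprep.

function Get-SchemaMaster {
    # dsquery returns the quoted server object DN, e.g.
    # "CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com"
    $dn = (dsquery server -hasfsmo schema | Out-String).Trim().Trim('"')
    if ($dn -match '^CN=([^,]+),CN=Servers,') { return $matches[1] }
    throw "Could not parse the schema master from dsquery output: $dn"
}

function Test-SchemaPartitionReplicated([string]$SchemaMaster) {
    $os   = Get-WmiObject Win32_OperatingSystem -ComputerName $SchemaMaster
    $boot = [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)

    # Inbound links for the schema partition only
    $rows = repadmin /showrepl $SchemaMaster /csv | ConvertFrom-Csv |
            Where-Object { $_.'Naming Context' -like 'CN=Schema,*' }

    $successTimes = foreach ($r in $rows) {
        try { [datetime]$r.'Last Success Time' } catch { }
    }
    $ok = @($successTimes | Where-Object { $_ -gt $boot }).Count -gt 0

    New-Object PSObject -Property @{
        SchemaMaster        = $SchemaMaster
        LastBoot            = $boot
        ReplicatedSinceBoot = $ok
    }
}

function Invoke-ForestPrep {
    param(
        [string]$AdprepPath = 'D:\sources\adprep\adprep.exe',   # placeholder: your media path
        [switch]$Run                                            # without -Run, only the checks execute
    )
    $master = Get-SchemaMaster
    $state  = Test-SchemaPartitionReplicated $master

    if (-not $state.ReplicatedSinceBoot) {
        throw "Schema master $master has not inbound-replicated the schema partition since $($state.LastBoot). Trigger replication first."
    }
    if ($env:COMPUTERNAME -ne $master) {
        throw "Run this on the schema master ($master), not on $env:COMPUTERNAME."
    }
    if (-not (Test-Path -LiteralPath $AdprepPath)) {
        throw "Adprep.exe not found at $AdprepPath; give the full path on the installation media."
    }

    if ($Run) {
        # Full path, as the topic recommends, so no other adprep on the PATH is picked up.
        # adprep asks for its own interactive confirmation before changing the schema.
        & $AdprepPath /forestprep
        if ($LASTEXITCODE -ne 0) { throw "adprep /forestprep exited with code $LASTEXITCODE" }
    }
    $state
}

Invoke-ForestPrep   # add -Run to execute forestprep once the checks pass
```

Because the same Enterprise Admins session is required, adprep /rodcprep can be invoked the same way immediately afterwards, as the note above suggests; domainprep is a per-domain step and is run separately on each infrastructure master.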

Before you deploy RODCs, install the RODC compatibility pack on computers that run Windows XP or Windows Server 2003 as needed. For more information, see article 944043 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122974).

If you have the Japanese language locale installed on Windows Server 2003 domain controllers that are being upgraded in place to Windows Server 2008, read and comply with article 949189 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164588).

If the Active Directory Migration Tool (ADMT) version 3.1 is installed on a Windows Server 2003 or Windows Server 2008 domain controller that is being upgraded to Windows Server 2008 R2, uninstall ADMT 3.1 before the upgrade.

When promoting new domain controllers, make sure that object information about the newly promoted domain controllers (the computer account in the domain partition and the NTDS Settings object in the configuration partition) has outbound-replicated to a sufficient number of domain controllers that are remaining in the forest before you retire the only domain controller in the forest that has that object information. For example, if you promote DC2 and use DC1 as the helper domain controller, make sure that DC1 has outbound-replicated the object information about DC2 to other domain controllers before you retire DC1. This is particularly an issue where the helper domain controllers used by newly promoted domain controllers are rapidly demoted before outbound replication takes place.
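The DC1/DC2 situation above can be verified directly rather than by waiting. The following is an added example (not from the Microsoft topic) that asks each remaining domain controller over LDAP whether it holds the new DC's computer account and NTDS Settings object, so the helper DC is retired only once every queried DC answers yes. It assumes PowerShell 2.0 or later and the .NET System.DirectoryServices classes; the DC names are placeholders and the function name is the author's own.

```powershell
# Added example, not part of the Microsoft topic. Confirms that a newly promoted
# DC's objects have replicated to the DCs that will remain before the helper DC
# is demoted. Each remaining DC is queried individually, not through a locator.

function Test-NewDcReplicated {
    param(
        [string]$NewDcName,          # e.g. DC2 (the newly promoted DC)
        [string[]]$RemainingDcs      # e.g. DC3, DC4 (DCs that stay after the helper is retired)
    )
    foreach ($dc in $RemainingDcs) {
        $rootDse   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/RootDSE")
        $configNc  = $rootDse.Properties['configurationNamingContext'].Value
        $defaultNc = $rootDse.Properties['defaultNamingContext'].Value

        # Computer account in the domain partition, as seen by this DC
        $cs = New-Object System.DirectoryServices.DirectorySearcher
        $cs.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$defaultNc")
        $cs.Filter = "(&(objectClass=computer)(sAMAccountName=$NewDcName`$))"
        $computer = $cs.FindOne()

        # Server object under CN=Sites in the configuration partition, then its NTDS Settings child
        $ss = New-Object System.DirectoryServices.DirectorySearcher
        $ss.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/CN=Sites,$configNc")
        $ss.Filter = "(&(objectClass=server)(cn=$NewDcName))"
        $server = $ss.FindOne()

        $ntds = $null
        if ($server) {
            $ns = New-Object System.DirectoryServices.DirectorySearcher($server.GetDirectoryEntry(), '(objectClass=nTDSDSA)')
            $ns.SearchScope = 'OneLevel'
            $ntds = $ns.FindOne()
        }

        New-Object PSObject -Property @{
            QueriedDc          = $dc
            ComputerAccount    = [bool]$computer
            NtdsSettings       = [bool]$ntds
            SafeToRetireHelper = ([bool]$computer -and [bool]$ntds)
        }
    }
}

Test-NewDcReplicated -NewDcName 'DC2' -RemainingDcs 'DC3', 'DC4' | Format-Table -AutoSize
```

Any row with SafeToRetireHelper false means that DC has not yet received DC2's objects from DC1; demoting DC1 at that point leaves DC2 known only to itself, which is the lingering-object and replication-topology problem the paragraph above warns about.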

Run <dvd or network path>:\setup.exe.

Read article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164558) and consider the right setting for the AllowNT4Crypto policy for your environment.

If you have remotely encrypted Encrypting File System (EFS) files on Windows Server 2003 computers that are being upgraded in place to Windows Server 2008, read and comply with article 948690 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=106115). This problem does not apply to domain controllers that are upgraded to Windows Server 2008 R2.

Consider installing the following fixes after the in-place upgrade unless they are integrated into your installation media:

If you are using Group Policy Preferences on Windows Vista or Windows Server 2008 computers, download the July 2009 update to article 943729 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164591).

Download the fix for a Group Policy Management Console (GPMC) filter bug in article 949360 (http://go.microsoft.com/fwlink/?LinkID=184908) in the Microsoft Knowledge Base.

If you use devolution (as opposed to suffix search lists) to resolve DNS queries for single-label and non-fully qualified DNS names, download the DNS devolution fix. See article 957579 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=166140).

Verify that the target domain is at the Windows 2000 native domain functional level or higher.

If you are promoting Windows Server 2008 domain controllers that are configured to use the Japanese language, read and comply with article 949189 in the Microsoft Knowledge base (http://go.microsoft.com/fwlink/?LinkID=164588). The hotfix should be installed immediately after promotion and before the first boot into normal mode.

From the Windows Start menu, run Dcpromo.exe (or install the Active Directory Domain Services Role in Server Manager, and then run Dcpromo).

When the AllowNT4Crypto page appears, read article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164558) and consider the right setting for AllowNT4Crypto for your environment.

If you encounter an error, see the list of Dcpromo errors at the end of this topic.

Do the following if you are performing an in-place upgrade of Windows Server 2008 RODCs into existing Windows Server 2003 domains, Windows Server 2008 domains, or domains that have a mix of those operating systems:

If the option to install RODC is not available in Dcpromo, verify that the forest functional level is Windows Server 2003 or higher.

If the option to install RODC is not available and the error message indicates that there is no Windows Server 2008 in the domain, verify that a Windows Server 2008 domain controller exists in the domain and that it is accessible on the network to the RODC that you are promoting.

If an error message indicates that access is denied, see the Microsoft Knowledge Base.

Make a system state backup of upgraded and newly promoted domain controllers. If you promoted the first domain controller in a new domain and do not yet have additional domain controllers, making a system state backup is more important for recovering accidental deletions. For more information, see AD DS Backup and Recovery Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=190448).

Use only Active Directory–aware backup applications to restore domain controllers or roll back the contents of AD DS. Restoring snapshots that were created by imaging software is not supported on domain controllers.

Article 981370 (http://go.microsoft.com/fwlink/?LinkId=206168): The DNS Server service on an RODC does not respond to DNS queries for several minutes if the link to some RWDCs breaks in Windows Server 2008

Article 2413670 (http://go.microsoft.com/fwlink/?LinkId=214821): Events 1659, 1481, and 1173 are recorded in the Directory Service event log on Windows Server 2008 R2-based domain controllers after you remove Active Directory Domain Services from the last domain controller in a tree root domain

If you are deploying RODCs, install the hotfix in article 953392 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=150337) on all Windows Server 2008 writable domain controllers. This fix is not required on Windows Server 2008 R2 writable domain controllers.

Read article 944043 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122974), and install the corrective fixes on the Windows client and server computers that are affected by the scenarios that are listed in the Knowledge Base article.

This section describes errors in Adprep.exe and Dcpromo.exe. If you encounter an error that is not covered here, search Microsoft.com for the quoted error description (for example, site:Microsoft.com “error description”), or post your problem to the following community sites:

If an error message indicates that the schema operations master is assigned to a deleted domain controller, see the Microsoft Knowledge Base.

If the error message says “Adprep was unable to extend the schema” or “Adprep failed to verify whether the schema master has completed a replication cycle after last reboot,” verify that the schema master has inbound-replicated the schema partition since the reboot. See Force a replication event with all partners in Forcing Replication (http://go.microsoft.com/fwlink/?LinkId=164668), and run the repadmin /syncall command.

If the error message says “There is a schema conflict with Exchange 2000. The schema is not upgraded.”, see article 314649 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=166190).

If the error message says “An attribute with the same link identifier already exists,” see article 969307 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164670).

For all other error messages, run a query for the error message that is enclosed in quotation marks at Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkID=56290).

If Rodcprep fails with the error message “Adprep could not contact a replica for partition <distinguished name for the forest-wide or domain-wide DNS application partition>” that is documented in article 949257 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=140285), run the Fixfsmo.vbs script in the same article, and then rerun Rodcprep until it runs successfully.

For all other error messages, run a query for the error message that is enclosed in quotation marks at Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkID=56290).

If the upgrade rolls back without any onscreen error or recorded error in a debug log, verify that you have sufficient free disk space on the volumes that are hosting %systemdrive%, Ntds.dit, and SYSVOL.
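A pre-flight check for this rollback cause, added here as an example (it is not part of the original article): it reads the AD DS database, log-file and SYSVOL locations from the registry on the domain controller being upgraded and reports free space on each hosting volume. The 1 GB threshold is this example's own assumption, not a Microsoft figure; set it from the AD DS disk-space guidance linked earlier in this topic.

```powershell
# Added example, not from the original article. Run elevated on the domain
# controller that is being upgraded. On a server that is not yet a domain
# controller the NTDS and SysVol registry values do not exist and are skipped.

$paths = @{ 'systemdrive' = $env:SystemDrive + '\' }

# Ntds.dit and its log files: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
if ($ntds) {
    $paths['Ntds.dit']       = $ntds.'DSA Database file'
    $paths['NTDS log files'] = $ntds.'Database log files path'
}

# SYSVOL: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SysVol
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
if ($netlogon -and $netlogon.SysVol) { $paths['SYSVOL'] = $netlogon.SysVol }

$minFreeMB = 1024   # assumption for this example; adjust to the AD DS guidance

foreach ($name in $paths.Keys) {
    # Reduce each path to its drive letter, e.g. "C:\Windows\NTDS\ntds.dit" -> "C:"
    $drive = [System.IO.Path]::GetPathRoot($paths[$name]).TrimEnd('\')
    if ($drive -notmatch '^[A-Za-z]:$') {
        "{0,-15} {1,-45} (not a local drive letter; check manually)" -f $name, $paths[$name]
        continue
    }
    $disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $freeMB = [math]::Round($disk.FreeSpace / 1MB)
    $status = if ($freeMB -lt $minFreeMB) { 'LOW' } else { 'ok' }
    "{0,-15} {1,-45} {2,8} MB free [{3}]" -f $name, $paths[$name], $freeMB, $status
}
```

Any line flagged LOW points at the volume to clear or extend before retrying the upgrade; a rollback with no logged error is otherwise hard to attribute after the fact.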

If an error message says “To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep /forestprep"…”, verify that /forestprep has been run and that the helper domain controller has inbound-replicated the /forestprep changes. For more information, see Running adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).

If an error message says “To install a domain controller into this Active Directory domain, you must first prepare the forest using "adprep /domainprep"…”, verify that /domainprep has been run and that the helper domain controller has inbound-replicated the /domainprep changes. For more information, see Running adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).

The cause is that the computer being promoted has identified a previously promoted computer account in the target domain with the same host name.

To resolve this error:

If the computer being promoted is replacing a previously demoted domain controller that had the same computer name, verify that the metadata for the demoted domain controller has been removed from AD DS, and then retry the promotion. For more information, see Cleaning metadata of removed writable domain controllers.

If the error persists, review %systemroot%\debug\DCPROMOUI.LOG to identify the name of the replication source domain controller that is being used by the domain controller being promoted.

Verify that the replication source domain controller has inbound replicated the removal of the conflicting domain controller account. Failure of the removal to replicate to the source domain controller could be caused by replication failure or replication latency.

The error can have other root causes. For more information, see the following articles in the Microsoft Knowledge Base:

“You cannot install an additional domain controller at this time because the RID master <domain controller name> is offline” or “You will not be able to install a writable domain controller at this time because the RID master <domain controller name> is offline. Do you want to continue?”

The cause is that Dcpromo attempts to identify the owner of the RID Master role by reading the fsmoRoleOwner attribute of CN=RID Manager$,CN=System,DC=<domain> and extracting the dnsHostName of the RID Master. Dcpromo then tries to initiate an LDAP connection over port 389 to the RID Master Server using its fully qualified computer name. If the LDAP connection fails for any reason, Dcpromo determines the RID Master to be offline. Initial sync failures by the RID FSMO should not cause this error.

The output of the repadmin command will include the fSMORoleOwner. If the fSMORoleOwner distinguished name path that is returned from the command in the previous step is mangled or assigned to a deleted domain controller, remove the metadata for that domain controller and seize the role to a live domain controller that hosts a writable copy of the domain partition.

Verify that the RID master role is assigned to a live domain controller that has successfully inbound-replicated the domain directory partition from at least one other domain controller in the same domain since it last restarted.

If the current role holder is the only live domain controller in the domain but its copy of Active Directory or AD DS refers to domain controllers that no longer exist, remove the stale metadata for those domain controllers, restart the live domain controller, and try promotion again.

For more information, see article 2009385 in the Microsoft Knowledge Base.
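The two replication-freshness checks above, the Adprep step (“verify that the schema master has inbound-replicated the schema partition since the reboot”) and the RID master procedure just described, are the same test applied to different role holders and partitions, so this one added example serves both. It is not code from the article: it reproduces Dcpromo's RID master logic as the text describes it (read fSMORoleOwner on CN=RID Manager$,CN=System,DC=<domain>, resolve the owner's dnsHostName, open TCP 389), flags a mangled or deleted role owner, and then compares each inbound link's last success time from repadmin /showrepl /csv with the role holder's last boot time. The helper names Get-FsmoHost and Test-InboundSyncSinceBoot are this example's own; it assumes a domain admin session on a domain-joined machine where repadmin.exe is installed.

```powershell
# Added example, not from the original article. Helper names are hypothetical.

function Get-FsmoHost {
    # Convert the DN held in fSMORoleOwner (an NTDS Settings object) into the owner's FQDN.
    param([string]$RoleOwnerDn)
    # A DN carrying \0ADEL: or \0ACNF: is mangled: the role points at a deleted or
    # conflicted object, so metadata cleanup and a role seizure are needed first.
    if ($RoleOwnerDn -match '\\0ADEL:|\\0ACNF:') {
        throw "Role owner is a deleted or conflicted object: $RoleOwnerDn"
    }
    $serverDn = $RoleOwnerDn -replace '^CN=NTDS Settings,', ''   # parent = server object
    return ([ADSI]"LDAP://$serverDn").dnsHostName[0]
}

function Test-InboundSyncSinceBoot {
    # Return the inbound links for $NamingContext on $Server whose last successful
    # replication is later than the server's last boot (repadmin /showrepl /csv vs. WMI).
    param([string]$Server, [string]$NamingContext)
    $os       = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Server
    $lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)
    $rows     = repadmin /showrepl $Server /csv | ConvertFrom-Csv
    $rows | Where-Object {
        $t = [datetime]::MinValue
        ($_.'Naming Context' -eq $NamingContext) -and
        [datetime]::TryParse($_.'Last Success Time', [ref]$t) -and
        ($t -gt $lastBoot)
    } | Select-Object @{n='Server';e={$Server}}, 'Naming Context', 'Source DSA', 'Last Success Time'
}

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.schemaNamingContext[0]
$domainNc = $rootDse.defaultNamingContext[0]

# (1) Schema master: has it inbound-replicated the schema partition since it rebooted?
$schemaHead   = [ADSI]"LDAP://$schemaNc"
$schemaMaster = Get-FsmoHost $schemaHead.fSMORoleOwner[0]
$fresh = Test-InboundSyncSinceBoot -Server $schemaMaster -NamingContext $schemaNc
if ($fresh) { $fresh | Format-Table -AutoSize }
else {
    Write-Warning "Schema master $schemaMaster has not inbound-replicated $schemaNc since boot; forcing a sync."
    repadmin /syncall $schemaMaster $schemaNc /e      # pull from all partners, across sites
}

# (2) RID master, tested the way Dcpromo tests it
$ridManager = [ADSI]"LDAP://CN=RID Manager`$,CN=System,$domainNc"
$ridMaster  = Get-FsmoHost $ridManager.fSMORoleOwner[0]
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($ridMaster, 389); "LDAP port 389 on $ridMaster is reachable" }
catch   { Write-Warning "Dcpromo would report the RID master offline: $ridMaster ($($_.Exception.Message))" }
finally { $tcp.Close() }
$fresh = Test-InboundSyncSinceBoot -Server $ridMaster -NamingContext $domainNc
if ($fresh) { $fresh | Format-Table -AutoSize }
else { Write-Warning "$ridMaster has not inbound-replicated $domainNc since boot; check replication or stale metadata." }
```

A throw from Get-FsmoHost is the “mangled or assigned to a deleted domain controller” case: clean the metadata and seize the role before promoting. A warning from the TCP test reproduces the exact condition that makes Dcpromo declare the RID master offline, regardless of whether the role holder is in fact running.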

If a warning indicates that there is no static IP address configured for an IPv6 address on a Windows Server 2008 domain controller, click Yes and complete the wizard.

If the check box for installing the DNS Server role is unavailable, either the Active Directory domain has a single-label DNS name or Dcpromo.exe cannot discover another Microsoft DNS server in the domain.

If you see the error message “A delegation for this DNS Server cannot be created because the authoritative parent zone cannot be found…,” see Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkId=164418).

If you see the error message “The DNS zone could not be created...," see the Microsoft Knowledge Base.

If Event ID 16651 appears in the Directory Services log, see article 316201 (http://go.microsoft.com/fwlink/?LinkId=184855) in the Microsoft Knowledge Base.

If the system is unable to share SYSVOL, see the Microsoft Knowledge Base.

If Dcpromo fails with an error message that says “Failed to modify the necessary properties for the machine account. Access is denied,” make sure that administrators are granted the Enable computer and user accounts to be trusted for delegation permission in Default Domain Controllers Policy and that the policy has been linked to the Domain Controllers OU. Also make sure that the helper domain controller’s machine account resides in the Domain Controllers OU and that it has successfully applied policy. For more information, see article 232070 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=166198).
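The three conditions listed for this “Access is denied” failure can be verified on the helper domain controller before retrying. The following is an added example, not code from the article: it exports the effective user rights with secedit and looks for SeEnableDelegationPrivilege (the internal name of “Enable computer and user accounts to be trusted for delegation”) granted to the Administrators SID, checks that the Default Domain Controllers Policy GUID is in the gPLink of the Domain Controllers OU, and checks with gpresult that the policy was applied. It assumes an elevated session on the helper domain controller.

```powershell
# Added example, not from the original article. Run elevated on the helper DC.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = $rootDse.defaultNamingContext[0]

# 1. Effective user right on this DC: SeEnableDelegationPrivilege held by Administrators?
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeEnableDelegationPrivilege' }
Remove-Item $cfg
$adminSid = 'S-1-5-32-544'          # well-known SID of BUILTIN\Administrators
if ($line -and $line -match ("\*" + [regex]::Escape($adminSid) + '(,|\s|$)')) {
    "SeEnableDelegationPrivilege is granted to Administrators: $line"
} else {
    Write-Warning "SeEnableDelegationPrivilege is not granted to Administrators (found: '$line')"
}

# 2. Is this DC's machine account in the Domain Controllers OU?
$searcher = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$env:COMPUTERNAME`$)")
$dn = $searcher.FindOne().Properties['distinguishedname'][0]
if ($dn -like "*,OU=Domain Controllers,$domainNc") { "Machine account is in the Domain Controllers OU: $dn" }
else { Write-Warning "Machine account is NOT in the Domain Controllers OU: $dn" }

# 3. Is Default Domain Controllers Policy linked to the OU, and applied here?
$ddcpGuid = '6AC1786C-016F-11D2-945F-00C04FB984F9'   # well-known GUID of that GPO
$ou = [ADSI]"LDAP://OU=Domain Controllers,$domainNc"
if ($ou.gPLink[0] -match $ddcpGuid) { "Default Domain Controllers Policy is linked to the OU" }
else { Write-Warning "Default Domain Controllers Policy is not linked to the OU (gPLink: $($ou.gPLink[0]))" }

$applied = gpresult /scope computer /r | Select-String 'Default Domain Controllers Policy'
if ($applied) { "Default Domain Controllers Policy is applied to this computer" }
else { Write-Warning "Policy not listed by gpresult; run gpupdate /force and check the Group Policy event log" }
```

If check 1 fails while checks 2 and 3 pass, the user right has been removed or overridden in the policy itself, which is the condition article 232070 addresses.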

If Dcpromo fails with an error message that says “Active Directory could not create the NTDS Settings object for this domain controller,” see the Microsoft Knowledge Base.

If the domain controller is multihomed, disable host (A) resource record registration on network adapters that are not reachable from the production network.

If the domain controller is multihomed and a network cable is not attached to a network adapter, disable the unused network adapters to prevent them from registering host (A) resource records for APIPA-assigned addresses (169.254.*.*), which clients can never use.
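The two multihoming items above as one added script (not from the article): it lists every adapter shown in Network Connections with its IPv4 addresses and DNS registration state, turns off host (A) registration on adapters that are not on the production subnet, and disables adapters that have no link or only an APIPA address. The $ProductionPrefix value is a placeholder for your own subnet, and $Apply defaults to report-only; both are this example's assumptions. It assumes an elevated session on the domain controller.

```powershell
# Added example, not from the original article. Report-only until $Apply is $true.

$Apply            = $false    # $false = report only; $true = make the changes
$ProductionPrefix = '10.0.'   # placeholder: leading octets of the production subnet

# Adapters with a NetConnectionID are the ones shown in Network Connections.
$adapters = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID }

foreach ($adapter in $adapters) {
    # Configuration (addresses, DNS registration flags) shares the adapter's Index.
    $cfg     = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($adapter.Index)"
    $ipv4    = @($cfg.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
    $onProd  = @($ipv4 | Where-Object { $_.StartsWith($ProductionPrefix) }).Count -gt 0
    $apipa   = @($ipv4 | Where-Object { $_.StartsWith('169.254.') }).Count -gt 0
    $noCable = ($adapter.NetConnectionStatus -eq 7)      # 7 = "Media disconnected"

    "{0,-25} status={1} ipv4={2} registerDNS={3}" -f $adapter.NetConnectionID, $adapter.NetConnectionStatus, ($ipv4 -join ','), $cfg.FullDNSRegistrationEnabled

    if ($noCable -or $apipa) {
        # An unplugged adapter would otherwise register its 169.254.* address in DNS.
        "  -> unused adapter (no link or APIPA address): disable it"
        if ($Apply) { $null = $adapter.Disable() }
    } elseif (-not $onProd -and $cfg.FullDNSRegistrationEnabled) {
        # Keep the adapter up but stop it from registering host (A) records.
        # Arguments: FullDNSRegistrationEnabled, DomainDNSRegistrationEnabled
        "  -> not on the production network: turn off host (A) record registration"
        if ($Apply) { $null = $cfg.SetDynamicDNSRegistration($false, $false) }
    }
}
```

Review the report-only output first: a production adapter that is merely unplugged at the moment the script runs would also be classed as unused, so confirm each proposed action against the server's cabling before setting $Apply to $true.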